REAL PARTY IN INTEREST 

The real party in interest in this appeal is the following party: International Business 
Machines Corporation. 
RELATED APPEALS AND INTERFERENCES 

With respect to other appeals or interferences that will directly affect, or be directly affected 
by, or have a bearing on the Board's decision in the pending appeal, there are no such appeals or 
interferences. 
STATUS OF CLAIMS 



A. TOTAL NUMBER OF CLAIMS IN APPLICATION 

Claims in the application are: 1-5 and 7-14 



B. STATUS OF ALL THE CLAIMS IN APPLICATION 

1. Claims canceled: 6 

2. Claims withdrawn from consideration but not canceled: None 

3. Claims pending: 1-5 and 7-14 

4. Claims allowed: None 

5. Claims rejected: 1-5 and 7-14 

6. Claims objected to: None 

C. CLAIMS ON APPEAL 

The claims on appeal are: 1-5 and 7-14 
STATUS OF AMENDMENTS 
No amendments were filed after the first final office action of January 25, 2005. 
SUMMARY OF CLAIMED SUBJECT MATTER 

A. CLAIM 1 - INDEPENDENT 

The following explanation of the subject matter of claim 1 does not limit or otherwise 
modify claim 1 as presented in the appendix of claims. The subject matter of claim 1 is directed 
to a method of defeating a SYN flooding attack in a server computer. A SYN flooding attack is a 
type of denial of service attack. A denial of service attack attempts to overwhelm a server with a 
vast number of spurious communications. The SYN flooding attack may be used with a 
distributed denial of service attack, in which a malicious user can take over a vast number of 
computers to direct an automated attack against any computer connected to the Internet. 

The SYN flooding attack, in particular, uses the normal SYN-ACK process that allows a 
client to establish a transmission control protocol (TCP) connection to a server. During the 
normal process, the client sends a SYN (synchronizing sequence number) message to a server. 
The server then acknowledges the SYN message by transmitting a SYN-ACK message to the 
client. The client then finishes establishing the connection by responding with an ACK 
(acknowledgement) message to the server. The connection between the client and the server is 
then open such that service-specific data may be exchanged between the client and the server. 
During a SYN flooding attack, thousands or even millions of SYN messages are transmitted to a 
server from many different client computers. The server, which has a limited capability for 
handling SYN messages, becomes overwhelmed. The server cannot process legitimate traffic or 
processes legitimate traffic slowly. The server may also shut down or freeze as a result of the 
attack. 

The method of claim 1 solves this problem by, among the other claimed steps, computing 
an initial sequence number receiver side (ISR), embedding the ISR in the SYN-ACK message, 
and responsive to receiving an ACK message, determining whether to establish a transmission 
control block for the client by evaluating an incremented value of the ISR included in the ACK 
message. Thus, the denial of service attack is much more likely to be defeated. 
B. CLAIM 7 - INDEPENDENT 

The subject matter of claim 7 is similar to the subject matter of claim 1. Claim 7 
includes, among the other claimed steps, the step of responsive to evaluating the value of the 
initial sequence number receiver side as an authentic computed initial sequence number receiver 
side, allocating resources for a transmission control protocol connection according to content 
specified in a previously received SYN message. 

C. CLAIM 11 - INDEPENDENT 

The subject matter of claim 11 is similar to the subject matter of claim 1. Claim 11 is 
directed to a computer program product for defeating a SYN flooding attack. 

D. CLAIM 14 - INDEPENDENT 

The subject matter of claim 14 is similar to the subject matter of claim 1. Claim 14 is 
directed to a system for defeating a SYN flooding attack. 
GROUNDS OF REJECTION TO BE REVIEWED ON APPEAL 

A. GROUND OF REJECTION 1 (Claims 1-5 and 7-14) 

Claims 1-5 and 7-14 stand rejected under 35 U.S.C. § 102(e) as anticipated by Denker, 
Communication Protocol with Improved Security, U.S. Patent 5,958,053 (Sep. 28, 1999). 
ARGUMENT 

A. GROUND OF REJECTION 1 (Claims 1-5 and 7-14) 
A.1. Claim 1 

The examiner rejects claim 1 as anticipated by Denker, Communication Protocol with 
Improved Security, U.S. Patent 5,958,053 (Sep. 28, 1999). The examiner states that: 

As to independent claim 1, "A method for defeating, in a server unit of 
an Internet Protocol network, a SYN flooding attack, said server unit 
running Transport Control Protocol to allow the establishment of one 
or more transmission control protocol connections with one or more 
client units, said method comprising the steps of: upon having 
activated the transmission control protocol in said server unit:" is 
taught in '053 col. 4, lines 44-55; 

"listening for the receipt of a SYN message sent from a client unit" 
and "resuming to said listening step" is shown in col. 6, lines 59-60; 

"upon receiving said SYN message: computing an Initial Sequence 
number Receiver side; wherein said Initial Sequence number Receiver 
side is embedded with connection parameters specified in the SYN 
message; responding to said client unit with a SYN-ACK message 
including said computed said Initial Sequence number Receiver side;" 
is disclosed in col. 4, line 58 through col. 5, line 43; 

"responsive to receiving an ACK message, determining whether to 
establish a transmission control block for the client unit by evaluating 
an incremented value of the Initial Sequence number Receiver side 
included in the ACK message" is shown in '053 col. 5, lines 37-43. 
Office Action of January 25, 2005, p. 3-4 (emphasis in original). In the response to arguments 
section of the final office action, the examiner states that: 

In response to applicants' argument on page 10 "Thus, Denker ('053) fails 
to describe or suggest a mechanism for embedding an initial sequence 
number receiver side "with connection parameters specified in the 
SYN message". The Office disagrees. '053 shows embedding an initial 
sequence number in col. 4, line 63 through col. 5, line 43 'This ACK 
message (in addition to the information required by standard TCP) 
includes the encoded value and repeats the client's requested options. A 
counter associated with each address in the Friends Table can be used to 
keep track of the number of successful connections established.'" 

In response to applicants' argument on page 10, the reference does not 
describe "determining whether to establish a transmission control 
block for the client unit by evaluating an incremented value of the 
Initial Sequence number Receiver side included in the ACK message." 
The Office disagrees. '053 shows evaluating the incremented value in col. 
5, lines 37-43 "A counter associated with each address in the Friends 
Table can be used to keep track of the number of successful connections 
established as compared to the total number of connection requests from 
the client, and allow the server to expunge the client's address from the 
Friends Table if there are too many unsuccessful connection attempts." 
Office Action of January 25, 2005, p. 2-3 (emphasis in original). 

A prior art reference anticipates the claimed invention under 35 U.S.C. § 102 only if 
every element of a claimed invention is identically shown in that single reference, arranged as 
they are in the claims. In re Bond, 910 F.2d 831, 832, 15 U.S.P.Q.2d 1566, 1567 (Fed. Cir. 
1990). All limitations of the claimed invention must be considered when determining 
patentability. In re Lowry, 32 F.3d 1579, 1582, 32 U.S.P.Q.2d 1031, 1034 (Fed. Cir. 1994). 
Anticipation focuses on whether a claim reads on the product or process a prior art reference 
discloses, not on what the reference broadly teaches. Kalman v. Kimberly-Clark Corp., 713 F.2d 
760, 218 U.S.P.Q. 781 (Fed. Cir. 1983). 

Claim 1 is presently as follows: 

1. A method for defeating, in a server unit of an Internet Protocol 
network, a SYN flooding attack, said server unit running Transmission 
Control Protocol to allow the establishment of one or more transmission 
control protocol connections with one or more client units, said method 
comprising the steps of: 

upon having activated the transmission control protocol in said 
server unit, 

listening for the receipt of a SYN message sent from a client unit; 
upon receiving said SYN message, 

computing an Initial Sequence number Receiver side, wherein said 
Initial Sequence number Receiver side is embedded with 
connection parameters specified in the SYN message; 

responding to said client unit with a SYN-ACK message including 
said Initial Sequence number Receiver side; 

resuming to said listening step; and 

responsive to receiving an ACK message, determining whether to 
establish a transmission control block for the client unit by 
evaluating an incremented value of the Initial Sequence 
number Receiver side included in the ACK message. 
Denker does not anticipate claim 1 because Denker does not show or suggest the claimed 
step of: responsive to receiving an ACK message, determining whether to establish a 
transmission control block for the client unit by evaluating an incremented value of the Initial 
Sequence number Receiver side included in the ACK message. 

The examiner states otherwise in both the initial rejection and in the response to arguments, 
citing from Denker as follows: 

According to TCP2E, if the client's address is on the server's Friends 
Table, the connection request (i.e., received SYN message) is processed 
according to TCP. A counter associated with each address in the Friends 
Table can be used to keep track of the number of successful connections 
established as compared to the total number of connection requests from 
the client, and allow the server to expunge the client's address from the 
Friends Table if there are too many unsuccessful connection attempts. 
Denker, col. 5, ll. 34-43 (emphasis shows portion cited by the examiner). 

However, the examiner's characterization of the cited portion of Denker is incorrect. The 
cited portion of Denker states that a counter is associated with each address in a friends table. 
The friends table is used to track the number of successful connection requests from the client. 
In contrast, the claimed step requires determining whether to establish a transmission control 
block in the first place by evaluating an incremented value of the Initial Sequence number 
Receiver side included in the ACK message. 

The cited portion in Denker does not show or suggest a step of determining whether to 
establish a transmission control block for the client by evaluating anything included in the ACK 
message, as claimed. Instead, the cited portion of Denker teaches a friends table that tracks 
addresses of clients for which a connection has already been made. Any number being 
incremented by Denker is not associated with the ACK message as claimed, because the ACK 
message is required to establish the connection in the first place. In other words, the friends table 
taught in Denker has nothing to do with determining whether to establish a transmission control 
block, as claimed. Thus, the cited portion of Denker does not show or suggest determining 
whether to establish a transmission control block by evaluating an incremented value of the 
Initial Sequence number Receiver side, as claimed. 

In addition, the cited portion of Denker does not show or suggest determining whether to 
establish a transmission control block for a client by evaluating an incremented value of the 
Initial Sequence number Receiver side. Instead, Denker determines whether to establish a 
transmission control block by performing an unspecified mathematical function on both the 
client address and a "secret" which may be a random number, as shown by the following 
passages from Denker: 

In the TCP2B protocol according to an embodiment of the present 
invention, the client requests a TCP connection with a server using a SYN 
message. The client indicates its support for the TCP2B protocol of the 
present invention using one or more bits of the TCP header (such as the 
OPT field). In response to receiving the SYN message, the server then 
sends a SYNACK message indicating the server's support for the TCP2B 
protocol. The SYNACK message includes an encoded value as a 
mathematical (i.e., cryptologic) function of at least the client's address and 
a secret known only to the server. In response to the SYNACK message 
indicating the server's support for TCP2B, the client sends an ACK 
message to the server. This ACK message (in addition to the information 
required by standard TCP) includes the encoded value and repeats the 
client's requested options. The server then analyzes the encoded value in 
the ACK message to determine if it passes the appropriate mathematical 
(i.e., cryptologic) test. If the encoded value included in the ACK message 
passes the appropriate mathematical test, then the client is properly 
complying with the TCP2B protocol, and the server allocates a full 
Transmission Control Block in memory, and the connection becomes fully 
established. 

Denker, col. 4, l. 53 through col. 5, l. 8 (emphasis supplied). 

If the client's address is not on the server's Friends Table, the server 
calculates an encoded value. The encoded value is calculated as the 
mathematical function of at least the client's address and a secret (i.e., a 
random number) known only to the server. The server sends an ACK 
message to the client including the calculated encoded value as the 
acknowledgment number. Because the acknowledgment number does not 
acknowledge any messages previously sent by the client, this ACK 
message appears to the client as a half-open connection. The client 
responds by sending a reset message to the server, as required by the 
standard TCP specifications. If the reset message passes a mathematical 
test at the server, the server adds the client's address to the Friends Table. 
Then, in accordance with standard TCP, the client will again attempt to 
establish a TCP connection with the server by re-issuing the SYN message 
to the server. This SYN message (or packet) will be welcomed by the 
server, since the client's address is now in the Friends Table. 
Denker, col. 5, ll. 16-33 (emphasis supplied). 

Denker plainly determines, responsive to an ACK message, whether to establish a 
transmission control block by performing an unspecified mathematical function on both the 
client address and a random number. Denker does not show or suggest the claimed step of 
determining whether to establish a transmission control block by evaluating an incremented 
value of the Initial Sequence number Receiver side, as claimed. Furthermore, Denker does not 
show or suggest that the random number is incremented by one. In the light that an unspecified 
mathematical function is performed on both the client address and a random number, one of 
ordinary skill would have no reason to assume that the mathematical function only increments 
the random number by one. Even if one of ordinary skill could make the assumption, the 
question of anticipation is resolved by whether the claim reads on the process that Denker 
discloses, not on what Denker broadly teaches. Kalman v. Kimberly-Clark Corp., 713 F.2d 760, 
218 U.S.P.Q. 781 (Fed. Cir. 1983). Thus, even if Denker broadly taught the claimed step, that 
fact would be insufficient to establish that Denker anticipates claim 1. In addition, because one 
of ordinary skill would have no reason to believe that the cited portion of Denker could teach the 
claimed invention, claim 1 is also non-obvious. 

Claims 2, 11, 12, and 14 stand or fall with claim 1. Claims 11 and 14 are independent 
claims containing limitations similar to those present in claim 1. 



A.2. Claim 3 

The examiner rejects claim 3 as anticipated by Denker, further stating that: 

As to dependent claim 3, "wherein said computing step further 
comprises the steps of: updating, in a server unit, a pseudo-random 
number (PRN) generator; holding a current key; remembering a 
former key; and using said current key as said randomly generated 
key for said computed Initial Sequence number Receive side" is shown 
in '053 col. 10, line 50 through col. 11, line 19. 
Office Action of January 25, 2005, p. 4 (emphasis in original). 

Claim 3 is as follows: 

3. The method according to claim 2, wherein said computing step 
further comprises the steps of: 

updating, in said server unit, a pseudo-random number (PRN) 
generator; 

holding a current key; 

remembering a former key; and 

using said current key as said randomly generated key for said 
Initial Sequence number Receiver side. 

Denker does not anticipate claim 3 because Denker does not show the steps of updating a 
PRN, holding a current key, remembering a current key, and using a current key as claimed. The 
examiner asserts otherwise, citing the following portions of Denker: 

In accordance with TCP, client 105 then sends a SYN message at step 
4050D in a second attempt to establish the new connection with server 
110. Naturally, the SYN message of step 4050D includes a restatement of 
the client-specified options. Steps 4050D, 5060D and 6070D of FIG. 5 are 
the same as the three step handshake (steps 1020A, 2030A and 3040A, 
respectively) of FIG. 1 to establish a TCP connection. After step 6070D, 
client 105 and server 110 have recovered from the half-open connection 
and fully reestablished the new connection. 

TCP2E Protocol 

According to an embodiment of the present invention, TCP2E relies upon 
the ability of a standard TCP client 105 to handle a half-open connection, 
and uses this to provide the server 110 with an improved defense to a SYN 
Flood attack. 

Prior to step 1020E of the TCP2E protocol (FIG. 6), server 110 previously 
stored general information, including its own IP address, and a secret 
known only to the server 110. The secret is typically used for a plurality of 
connection requests. 

According to an embodiment of the present invention, server 110 stores in 
memory a Friends Table, which is a table (such as a hash table or a list) 
maintained in server 110's memory containing the IP addresses (or other 
identifying information) of clients that have been recently observed to be 
complying with important parts of the TCP protocol. The Friends Table 
may be of constant size, such as one thousand IP addresses. In one 
embodiment of the present invention, server 110 adds a client's IP address 
to the server's Friends Table after a TCP connection has been established 
between the server and client using any first level protocol (i.e., TCP, 
Bernstein/Schenk Syncookie method, TCP2B, TCP2E). Also, importantly, 
a client's address can be added to the server's Friends Table when the 
client has complied with the initial steps of TCP2E as described below. If 
it is necessary to add a new IP address to the Friends Table and there are 
no free slots, a slot can be made available using a well known method such 
as random-replacement (where a random IP address is expunged) or least- 
recently-used (where the least recently used IP address in the table is 
expunged) to free up a slot for the new IP address. 
Denker, col. 10, l. 50 through col. 11, l. 24. 

The cited passage manifestly does not show or suggest the use of a key as claimed. The 
invention of claim 3 is directed to using a key for the Initial Sequence number Receiver side. 
The cited portion of Denker merely teaches randomly replacing entries in the friends table when 
the friends table becomes full. As shown above, the friends table has nothing to do with 
establishing a connection, whereas the claimed invention is directed towards establishing a 
connection in the first place. Thus, the cited portion of Denker has nothing to do with the 
invention of claim 3 and certainly does not show or suggest any of the limitations of claim 3. 
Furthermore, Denker is devoid of disclosure with respect to claim 3. Accordingly, Denker does 
not anticipate claim 3. 

Claims 10 and 13 stand or fall with claim 3. 

A.3. Claim 4 

The examiner rejects claim 4 as anticipated by Denker, further stating that: 

As to dependent claim 4, "wherein the step of concatenating said 
server signature and said category index further includes the step of 
picking up a category index within said set of predefined connection 
categories on the basis of the content of said received SYN message" is 
disclosed in '053 col. 7, lines 47-67. 
Office Action of January 25, 2005, p. 4-5 (emphasis in original). 

Claim 4 is as follows: 

4. The method according to claim 2, wherein the step of 
concatenating said server signature and said category index further 
includes the step of: 

picking a category index within said set of connection categories 
on the basis of content of said SYN message. 

Denker does not anticipate claim 4 because Denker does not disclose picking a category 
index within said set of connection categories on the basis of content of said SYN message, as 
claimed. The examiner asserts otherwise, citing the following portions of Denker: 

The SYNACK message of step 2030C also includes an encoded value 
(represented in FIG. 4 as $c). For security reasons, the encoded value $c 
can be calculated by server 110 as a cryptologic function (or other 
mathematical function) that depends upon at least the IP address of client 
105 and a secret only known to server 110. The encoded value $c can be a 
cryptologic function which depends upon one or more additional 
parameters (in addition to the secret and the IP address of client 105), 
including: the client's port, the server's IP address, the server's port, and the 
client's sequence number, among other things. For example, the encoded 
value $c can be calculated by server 110 as follows: 



(Appeal Brief Page 15 of 28) 
[name illegible] et al. - 09/755,564 
PAGE 17/30 * RCVD AT 5/23/2005 3:13:54 PM [Eastern Daylight Time] * SVR:USPTO-EFXRF 
05/23/2005 14:15 9723857766 YEE & ASSOCIATES, PC PAGE 18 

$c=MD5 hash (client's IP address, client's port, server's IP address, server's 
port, random secret)+client's initial sequence number. (Eq. 1). 

Equation 1 states that the encoded value $c can be calculated as the MD5 
hash function of the client's IP address, the client's port, the server's IP 
address, the server's port and the random secret known only to server 110 
plus the client's initial sequence number (shown as 100 in message 1). 
Denker, col. 7, ll. 47-67. 

The cited passage manifestly does not show or suggest picking a category index, as claimed. 
Nowhere does Denker show or suggest picking a category index, as claimed. Thus, Denker does 
not anticipate claim 4. 



A.4. Claim 5 

The examiner rejects claim 5 as anticipated by Denker, further stating that: 

As to dependent claim 5, "wherein said updating step includes the 
step of: updating said PRN generator at a rate not higher than a 
Maximum Segment Lifetime defined in said transmission control 
protocol connections" is taught in '053, col. 7, lines 47-61. 
Office Action of January 25, 2005, p. 5 (emphasis in original). 

Claim 5 is as follows: 

5. The method according to claim 3, wherein said updating step 
includes the step of: 

updating said PRN generator at a rate not higher than a Maximum 
Segment Lifetime defined in said transmission control 
protocol connections. 

Denker does not anticipate claim 5 because Denker shows none of the limitations of claim 
5. The examiner asserts otherwise, citing the following passages from Denker: 

The SYNACK message of step 2030C also includes an encoded value 
(represented in FIG. 4 as $c). For security reasons, the encoded value $c 
can be calculated by server 110 as a cryptologic function (or other 
mathematical function) that depends upon at least the IP address of client 
105 and a secret only known to server 110. The encoded value $c can be a 
cryptologic function which depends upon one or more additional 
parameters (in addition to the secret and the IP address of client 105), 
including: the client's port, the server's IP address, the server's port, and the 
client's sequence number, among other things. For example, the encoded 
value $c can be calculated by server 110 as follows: 
$c=MD5 hash (client's IP address, client's port, server's IP address, server's 
port, random secret)+client's initial sequence number. (Eq. 1). 
Denker, col. 7, ll. 47-61. 

The cited passage manifestly does not show or suggest updating a PRN generator at a 
maximum rate, as claimed. Furthermore, Denker is devoid of disclosure regarding the invention of 
claim 5. Accordingly, Denker does not anticipate claim 5. 



A.5. Claim 7 

The examiner rejects claim 7 as anticipated by Denker, stating that: 

As to independent claim 7, "A method for defeating, in a server unit of 
an IP network, a SYN flooding attack, said method comprising the 
steps of:" is disclosed in '053 col. 4, lines 33-54; 

"listening for an ACK message sent from a client unit" and "resuming 
said listening step" is taught in '053 col. 6, lines 59-60; 

"upon receiving said ACK message, evaluating a value of an Initial 
Sequence number Receiver side that includes content comprising 
embedded connection parameters specified in a previously received 
SYN message as an authentic computed Initial Sequence number 
Receiver side; and responsive to evaluating the value of the Initial 
Sequence Number Receiver side as an authentic computed Initial 
Sequence number Receiver side, allocating resources for a 
transmission control protocol connection according to said content; 
and" is shown in '053 col. 5, lines 1-43. 
Office Action of January 25, 2005, p. 5 (emphasis in original). 

Claim 7 is as follows: 

7. A method for defeating, in a server unit of an IP network, a SYN 
flooding attack, said method comprising the steps of: 

listening for an ACK message sent from a client unit; 

upon receiving said ACK message, evaluating a value of an Initial 
Sequence Number Receiver side that includes content 
comprising embedded connection parameters specified in a 
previously received SYN message as an authentic 
computed Initial Sequence Number Receiver side; and 

responsive to evaluating the value of the Initial Sequence Number 
Receiver side as an authentic computed Initial Sequence 
Number Receiver side, allocating resources for a 
transmission control protocol connection according to said 
content; and 

resuming said listening step. 
Denker does not anticipate claim 7 because Denker does not show the step of: responsive to 
evaluating the value of the Initial Sequence Number Receiver side as an authentic computed 
Initial Sequence Number Receiver side, allocating resources for a transmission control protocol 
connection according to said content, as claimed. The examiner asserts otherwise, citing the 
following passages from Denker: 

The server then analyzes the encoded value in the ACK message to 
determine if it passes the appropriate mathematical (i.e., cryptologic) test. 
If the encoded value included in the ACK message passes the appropriate 
mathematical test, then the client is properly complying with the TCP2B 
protocol, and the server allocates a full Transmission Control Block in 
memory, and the connection becomes fully established. 

In the TCP2E protocol according to an embodiment of the present 
invention, the server maintains a Friends Table, which is a list of addresses 
of those devices recently observed to be complying with TCP. The client 
requests a TCP connection with a server using a SYN message. The server 
then determines whether the address of the client is on the server's Friends 
Table. 

If the client's address is not on the server's Friends Table, the server 
calculates an encoded value. The encoded value is calculated as the 
mathematical function of at least the client's address and a secret (i.e., a 
random number) known only to the server. The server sends an ACK 
message to the client including the calculated encoded value as the 
acknowledgment number. Because the acknowledgment number does not 
acknowledge any messages previously sent by the client, this ACK 
message appears to the client as a half-open connection. The client 
responds by sending a reset message to the server, as required by the 
standard TCP specifications. If the reset message passes a mathematical 
test at the server, the server adds the client's address to the Friends Table. 
Then, in accordance with standard TCP, the client will again attempt to 
establish a TCP connection with the server by re-issuing the SYN message 
to the server. This SYN message (or packet) will be welcomed by the 
server, since the client's address is now in the Friends Table. 

According to TCP2E, if the client's address is on the server's Friends 
Table, the connection request (i.e., received SYN message) is processed 
according to TCP. A counter associated with each address in the Friends 
Table can be used to keep track of the number of successful connections 
established as compared to the total number of connection requests from 
the client, and allow the server to expunge the client's address from the 
Friends Table if there are too many unsuccessful connection attempts. 
Denker, col. 5, ll. 1-43. 

The cited passage manifestly does not show or suggest evaluating the Initial Sequence 
number Receiver side and allocating resources in the manner claimed. Denker is devoid of 
disclosure regarding the claimed limitation. Thus, Denker does not anticipate claim 7. 

Claims 8 and 9 stand or fall with claim 7. 

SUMMARY 

Claims 2, 11, 12, and 14 stand or fall with claim 1. Claims 8 and 9 stand or fall with 
claim 7. Claims 10 and 13 stand or fall with claim 3. Because Denker does not show or suggest 
all of the limitations of any of the claims, Denker does not anticipate any of the claims. 
Accordingly, Applicants respectfully request that the Board overturn the rejections and order that 
the claims be allowed. 
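To make the claimed mechanism concrete, the following Python sketch is added here; it is not code from the application, the brief or Denker. It implements the ISR construction of claims 1 to 5 (signature over key || client socket || server socket, concatenated with a category index chosen from the SYN's MSS, keys rotated no faster than once per MSL with the former key remembered) and the ACK evaluation of claims 1 and 7 (recover ISR from ACK-1, verify, allocate using the embedded category), with Denker's quoted Eq. 1 beside it for contrast. The hash (SHA-256), the 30/2-bit split, the category table, the MSL value and the 32-bit truncation of the MD5 digest are assumptions.

```python
import hashlib
import hmac
import os
import struct

MSL_SECONDS = 120  # TCP Maximum Segment Lifetime; 2 minutes assumed (RFC 793 value)

# Constructed set of predefined connection categories (claims 2 and 4):
# category index -> maximum segment size the server will use for the connection.
CATEGORIES = [536, 1220, 1460, 8960]
CATEGORY_BITS = 2                                   # four categories in the low 2 bits
SIGNATURE_MASK = (1 << (32 - CATEGORY_BITS)) - 1    # the remaining 30 bits of the ISR


class KeyRing:
    """Claims 3 and 5: a PRN generator updated no faster than once per MSL,
    holding the current key and remembering the former key."""

    def __init__(self, prng=None, now=0.0):
        self.prng = prng or (lambda: os.urandom(16))
        self.current = self.prng()
        self.former = self.current
        self.updated_at = now

    def update(self, now):
        """Rotate keys; refused when less than one MSL has passed since the last rotation."""
        if now - self.updated_at < MSL_SECONDS:
            return False
        self.former, self.current = self.current, self.prng()
        self.updated_at = now
        return True


def pick_category(syn_mss):
    """Claim 4: pick the category index from the SYN's content (its MSS option):
    the largest predefined MSS not exceeding what the client advertised."""
    index = 0
    for i, mss in enumerate(CATEGORIES):
        if mss <= syn_mss:
            index = i
    return index


def server_signature(key, client_socket, server_socket):
    """Claim 2: hash the concatenation of the key and the connection identification
    (client socket and server socket); keep 30 bits of the digest."""
    cip, cport = client_socket
    sip, sport = server_socket
    ident = cip.encode() + struct.pack("!H", cport) + sip.encode() + struct.pack("!H", sport)
    digest = hashlib.sha256(key + ident).digest()
    return int.from_bytes(digest[:4], "big") & SIGNATURE_MASK


def on_syn(keys, client_socket, server_socket, syn_mss):
    """Claim 1: on a SYN, compute the ISR (signature || category index) for the SYN-ACK.
    No transmission control block is allocated here, so a flood costs the server no memory."""
    category = pick_category(syn_mss)
    signature = server_signature(keys.current, client_socket, server_socket)
    return (signature << CATEGORY_BITS) | category


def on_ack(keys, client_socket, server_socket, ack_number):
    """Claims 1 and 7: the ACK must carry ISR + 1. Recover the ISR, recompute the
    signature under the current and the former key, and only on a match allocate
    the connection with the parameters embedded in the ISR. Returns None otherwise.
    Note: the category bits are not covered by the signature, so a tampered ACK can
    move a connection between predefined categories but cannot pass without a valid signature."""
    isr = (ack_number - 1) & 0xFFFFFFFF
    category = isr & ((1 << CATEGORY_BITS) - 1)
    received = (isr >> CATEGORY_BITS).to_bytes(4, "big")
    for key in (keys.current, keys.former):
        expected = server_signature(key, client_socket, server_socket).to_bytes(4, "big")
        if hmac.compare_digest(received, expected):   # constant-time comparison
            return {"client": client_socket, "server": server_socket,
                    "mss": CATEGORIES[category]}
    return None


def denker_encoded_value(client_socket, server_socket, secret, client_isn):
    """For contrast, Denker's Eq. 1 as quoted in the brief: MD5 over the client and
    server addresses and ports and the secret, plus the client's initial sequence number.
    Truncating the digest to 32 bits is an assumption; the quoted text does not say."""
    cip, cport = client_socket
    sip, sport = server_socket
    h = hashlib.md5(cip.encode() + struct.pack("!H", cport) + sip.encode()
                    + struct.pack("!H", sport) + secret).digest()
    return (int.from_bytes(h[:4], "big") + client_isn) & 0xFFFFFFFF


if __name__ == "__main__":
    keys = KeyRing()
    client, server = ("192.0.2.10", 40000), ("198.51.100.1", 443)  # constructed sockets
    isr = on_syn(keys, client, server, syn_mss=1460)
    print("SYN-ACK ISR:", hex(isr))
    print("ACK with ISR+1 ->", on_ack(keys, client, server, isr + 1))
    print("ACK with bad signature ->", on_ack(keys, client, server, isr + 1 + (1 << CATEGORY_BITS)))
```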
CLAIMS APPENDIX 
The text of the claims involved in the appeal is: 

1. (Previously Presented) A method for defeating, in a server unit of an Internet Protocol 
network, a SYN flooding attack, said server unit running Transmission Control Protocol to allow 
the establishment of one or more transmission control protocol connections with one or more 
client units, said method comprising the steps of: 

upon having activated the transmission control protocol in said server unit, 

listening for the receipt of a SYN message sent from a client unit; 

upon receiving said SYN message, 

computing an Initial Sequence number Receiver side, wherein said Initial Sequence 
number Receiver side is embedded with connection parameters specified in the 
SYN message; 

responding to said client unit with a SYN-ACK message including said Initial Sequence 
number Receiver side; 

resuming to said listening step; and 

responsive to receiving an ACK message, determining whether to establish a transmission 
control block for the client unit by evaluating an incremented value of the Initial 
Sequence number Receiver side included in the ACK message. 
2. (Previously Presented) The method according to claim 1 wherein the step of computing 
said Initial Sequence number Receiver side further includes the steps of: 

concatenating a randomly generated key with an identification of one of said transmission 
control protocol connections, said identification including: 

a client socket and a server socket; 

a server signature calculated by hashing said concatenation; and 
a concatenation of said server signature and a category index referring to a set of 
predefined transmission control protocol connection categories. 

3. (Previously Presented) The method according to claim 2, wherein said computing step 
further comprises the steps of: 

updating, in said server unit, a pseudo-random number (PRN) generator; 

holding a current key; 

remembering a former key; and 

using said current key as said randomly generated key for said Initial Sequence number 
Receiver side. 



4. (Previously Presented) The method according to claim 2, wherein the step of 
concatenating said server signature and said category index further includes the step of: 

picking a category index within said set of connection categories on the basis of content 
of said SYN message. 
5. (Previously Presented) The method according to claim 3, wherein said updating step 
includes the step of: 

updating said PRN generator at a rate not higher than a Maximum Segment Lifetime 
defined in said transmission control protocol connections. 

6. (Canceled) 

7. (Previously Presented) A method for defeating, in a server unit of an IP network, a SYN 
flooding attack, said method comprising the steps of: 

listening for an ACK message sent from a client unit; 

upon receiving said ACK message, evaluating a value of an Initial Sequence Number 

Receiver side that includes content comprising embedded connection parameters 
specified in a previously received SYN message as an authentic computed Initial 
Sequence Number Receiver side; and 

responsive to evaluating the value of the Initial Sequence Number Receiver side as an 
authentic computed Initial Sequence Number Receiver side, allocating resources 
for a transmission control protocol connection according to said content; and 

resuming said listening step. 

8. (Previously Presented) The method of claim 7, further including: 

interpreting a category index extracted from said value of the Initial Sequence Number 
Receiver side. 
9. (Previously Presented) The method according to claim 8, wherein the allocating step 
includes the step of: 

selecting a predefined set of parameters, for said transmission control protocol 
connection, on the basis of the category index. 

10. (Previously Presented) The method according to claim 7, wherein the step of evaluating 
said Initial Sequence Number Receiver side includes, upon receiving said ACK message, the 
steps of: 

having, firstly, selected a current key: 
getting said current key; 

concatenating said current key with an identification of said transmission control protocol 
connection, said identification including: 
a client socket and a server socket; 

hashing said concatenation of the current key and the identification, thus obtaining a re- 
computed server signature; 

extracting an acknowledgment field from said ACK message; 

decrementing content of said acknowledgement field; 

extracting a server signature from the decremented content; and 

comparing said re-computed server signature and said extracted server signature. 

11. (Previously Presented) A computer program product for defeating, in a server unit of an 
Internet Protocol network, a SYN flooding attack, said server unit running Transmission Control 
Protocol to allow the establishment of one or more transmission control protocol connections 
with one or more client units, said computer program product having computer readable program 
code comprising: 

computer readable program code, responsive to having activated the transmission control 
protocol in said server unit, for listening for the receipt of a SYN message sent 
from a client unit; 

computer readable program code for computing an Initial Sequence number Receiver side 
responsive to receiving said SYN message, wherein said Initial Sequence number 
Receiver side includes embedded connection parameters; 

computer readable program code for responding to said client unit with a SYN-ACK 
message including said Initial Sequence number Receiver side; 

computer readable program code for resuming said listening step; and 

computer readable program code for, responsive to receiving an ACK message, 

determining whether to establish a transmission control block for the client unit by 
evaluating an incremented value of the Initial Sequence number Receiver side 
included in the ACK message. 

12. (Previously Presented) The computer program product according to claim 11, wherein 
the computer readable program code for computing said Initial Sequence number Receiver side 
further includes: 

computer readable program code for calculating a concatenation of a randomly generated 
key with an identification of one of said one or more transmission control protocol 
connections, said identification including: 

a client socket and a server socket; 
a server signature calculated by hashing said concatenation; and 
a concatenation of said server signature and a category index referring to a set of 
predefined transmission control protocol connection categories. 

13. (Previously Presented) The computer program product according to claim 11 or 12 
wherein said computing step further comprises the steps of: 

computer readable program code means for updating, in said server unit, a pseudo- 

random number (PRN) generator; 
computer readable program code for holding a current key; 
computer readable program code for remembering a former key; and 
computer readable program code for using said current key as the former key for 

evaluating said Initial Sequence number Receiver side. 

14. (Previously Presented) A system for implementing a shield for defeating TCP SYN 
flooding attacks, said system comprising: 

an Internet Protocol network; 

a server unit running Transmission Control Protocol to allow the establishment of one or 
more transmission control protocol connections; and 

one or more client units; wherein, once said Transmission Control Protocol is activated in 
said server unit, said server unit listens for the receipt of a SYN message from one 
or more of said client units, and whereupon receiving said SYN message from a 
client unit, said server unit computes an Initial Sequence number Receiver side 
having connection parameters embedded therein, responds to said client unit with 
a SYN-ACK message including said Initial Sequence number Receiver side and 
resumes listening for further SYN messages, and wherein said server unit, 
responsive to receiving an ACK message, determines whether to establish a 
transmission control block for the client unit by evaluating a value comprising an 
increment of the Initial Sequence number Receiver side included in the ACK 
message. 
EVIDENCE APPENDIX 

There is no additional evidence to be presented. 
RELATED PROCEEDINGS APPENDIX 
There are no related proceedings. 